Add a README file with some basic examples

Signed-off-by: Eric Biggers <ebiggers@google.com>
1 file changed
tree: b839f5acb25cb3adc0081d13764db0c655e86bb7
  1. debian/
  2. .gitignore
  3. cmd_enable.c
  4. cmd_set_measurement.c
  5. cmd_setup.c
  6. commands.h
  7. COPYING
  8. elide_patch.c
  9. fsverity.c
  10. fsverity_sys_decls.h
  11. fsveritysetup.h
  12. full-run-fsverity.sh
  13. hash_algs.c
  14. hash_algs.h
  15. Makefile
  16. mkfsverity.sh
  17. README.md
  18. sign.c
  19. util.c
  20. util.h
README.md

Introduction

This is fsverity, the userspace utility for fs-verity. fs-verity is a Linux kernel feature that does transparent on-demand integrity/authenticity verification of the contents of read-only files, using a Merkle tree (hash tree) hidden after the end of the file. The mechanism is similar to dm-verity, but implemented at the file level rather than at the block device level. The fsverity utility allows you to set up fs-verity protected files.

Currently, fs-verity is supported by the ext4 and f2fs filesystems.

Building and installing

The fsverity utility uses the OpenSSL and zlib libraries, so you must first install their development files. For example, on Debian-based systems, run:

    sudo apt-get install libssl-dev libz-dev

OpenSSL must be version 1.0.0 or later.

Then, to build and install:

    make
    sudo make install

Examples

    mkfs.f2fs -O verity /dev/vdc
    mount /dev/vdc /vdc
    cd /vdc

    # Create a test file
    head -c 1000000 /dev/urandom > file
    md5sum file

    # Append the Merkle tree and other metadata to the file, and
    # sign the file with the kernel build-time generated key:
    fsverity setup file --signing-key ~/linux/certs/signing_key.pem

    # Enable fs-verity on the file
    fsverity enable file

    # Contents are now transparently verified and should match the
    # original file contents, i.e. the metadata is hidden.
    md5sum file

Usage without signing the file (deprecated, requires that the kernel was built with CONFIG_FS_VERITY_USERSPACE_SIG_VERIFY=y):

    # Capture the measurement printed by "fsverity setup"
    m=$(fsverity setup file | awk '/measurement/{print $3}')
    fsverity enable file
    fsverity set_measurement file "$m"
    md5sum file

Notices

Copyright (C) 2018 Google, Inc.

License GPLv2+. Permission to link to OpenSSL (libcrypto) is granted.

This is not an official Google product.

Do not fold, spindle, or mutilate.

Send questions, bug reports, and patches to linux-fscrypt@vger.kernel.org.